Moxa PT, EDS, ICS, IKS, and SDS Switches Out-of-Bounds Write Vulnerability Allowing Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in multiple Moxa switch series, including PT, EDS, ICS, IKS, and SDS. This vulnerability arises from an out-of-bounds write issue caused by inadequate input validation, allowing data to be written beyond the limits of the buffer. Exploitation of this vulnerability can disrupt normal operations by overwriting memory and potentially causing system crashes or reboots. The vulnerability is particularly concerning when the affected switches are exposed to public networks, where attackers could remotely disrupt operations.
Impact
Exploitation of this vulnerability leads to a denial-of-service condition, causing system crashes or reboots, and disrupting normal operations.
Remediation
Users can upgrade to the latest firmware versions available for their specific switch series. For Moxa PT-7728 and PT-7828 Series switches, the security patch version 3.9.2 is available. For EDS, ICS, IKS, and SDS switches, please contact Moxa Technical Support for the security patch. General security recommendations include disabling Moxa Service and Moxa Service (Encrypted) temporarily if they are not required for operations.
